Security Incidents mailing list archives

RE: Questions = Thanks


From: "Ihsahn Diablo" <traktopika () hotmail com>
Date: Wed, 21 Nov 2001 21:19:44 +0000
From: "Mark Piper" <markp () wlg nec co nz>
Reply-To: <markp () wlg nec co nz>
To: "'Ihsahn Diablo'" <traktopika () hotmail com>
Subject: RE: Questions
Date: Thu, 22 Nov 2001 09:32:42 +1300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Ihsahn,

Adore is a popular rootkit for Red Hat 6.x servers. I can't remember
the link to the information on it, but I will hunt it out for you...

As for DP, it appears to redirect ports from your local machine to a
remote host.... I have dp.c someplace round here, I will hunt it out
for you...

Could you please show us the results of a netstat -a? It shouldn't be
too hard to spot how the intruders got in.


Hope this helps =)

Mark Piper

Thanks Mark, but I know what Adore is (thanks to Mike Lewinski). My server has Red Hat 7.0; I update it daily, and every existing patch is applied. Soon I will upgrade it to Red Hat 7.2. I thank everybody who answered my mail, and my conclusion is: dp is "datapipe" :). I believed it was a remote exploit. The way they entered my system is fairly simple: they cracked another server which has rights on mine (hosts.allow rules). This is my conclusion after 2 days and 2 nights with no sleep to find out how they entered (and a lot of phone calls :) ). I repeat, I believed dp was a remote exploit, so I was fairly scared because I didn't know anything about it.

Chkrootkit was the first thing I did. The second was to check the other servers. It is strange: I found it (the rk) on one server and not on the others.

So I have one more thing to ask you: could you give me some good links about what to do after a break-in, or what to do if somebody is in the middle of an attack?
Thanks a lot for your help,


Best regards,
Goba

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com